EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Preventing changes to files

Also by EldoS: CallbackRegistry
A component to monitor and control Windows registry access and create virtual registry keys.
#30947
Posted: 10/09/2014 18:09:17
by Gregoir Lebrun (Basic support level)
Joined: 10/09/2014
Posts: 7

Hello,

I wanted to check whether it is feasible to implement following scenario using CallBackFilter.

When a user opens a certain file (say "A.txt") with a certain application (e.g. Notepad), the following should be prevented:

1) the user saves changes to the file on disk, and

2) the user makes changes to the in-memory representation of the file, and saves that representation to another file (say "B.txt") using the process he opened the file with.

I managed to implement (1) using an Access Rule with the fltReadOnly Access Flag set, but this approach does not stop the user from saving changes to another file.

Many thanks in advance for your feedback.
#30949
Posted: 10/10/2014 01:00:24
by Eugene Mayevski (EldoS Corp.)

Quote
Gregoir Lebrun wrote:
2) the user makes changes to the in-memory representation of the file, and saves that representation to another file (say "B.txt") using the process he opened the file with.


Unfortunately there is and can be no definite way to track such operation.
Imagine you read "1" number from the file, add 2 in memory and save "3" to another place. How would anything in Universe know, what this "3" is comprised by?


Sincerely yours
Eugene Mayevski
#30953
Posted: 10/10/2014 03:59:59
by Gregoir Lebrun (Basic support level)
Joined: 10/09/2014
Posts: 7

Dear Eugene,

Quote
Unfortunately there is and can be no definite way to track such operation.Imagine you read "1" number from the file, add 2 in memory and save "3" to another place. How would anything in Universe know, what this "3" is comprised by?


Thanks for your feedback.

Is it impossible to track such operations because of limitations of file system filter drivers (which CallbackFilter uses)?

Would it be possible to realize this using kernel API hooking of kernel32.dll functions (e.g. WriteFile and ReadFile) instead ? I know this question is not strictly related to CallbackFilter but I would appreciate your feedback if possible.

Thanks,

Gregoir
#30956
Posted: 10/10/2014 07:55:32
by Eugene Mayevski (EldoS Corp.)

I think once you figure out how to derive "1" from "3" in my example above, you will answer your own question.

There's no deterministic way in the universe to find out whether certain information is derived from the other information.


Sincerely yours
Eugene Mayevski

Reply

Statistics

Topic viewed 1858 times

Number of guests: 1, registered members: 0, in total hidden: 0




|

Back to top

As of July 15, 2016 EldoS Corporation will operate as a division of /n software inc. For more information, please read the announcement.

Got it!